Fwd: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl
Ronald Klop
ronald-lists at klop.ws
Mon Oct 20 11:36:01 UTC 2014
Install port security/ca_root_nss and use:
fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt
http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
That works. And still checks validity of the https server as long as you
trust the ca_root_nss port.
But I think it is kind of lame the default certificates from base don't
work out of the box.
Ronald.
On Mon, 20 Oct 2014 12:22:32 +0200, tethys ocean <tethys.ocean at gmail.com>
wrote:
> I am using FreeBSD 10.0-STABLE on my servers. But according to this
> mail
> I tried
>
> [FreeBSD 10.0]
> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
> # fetch
> http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc
> # gpg --verify openssl-10.0.patch.asc
>
> But my server say this below:
>
> fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
> Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The
> USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> 675119676:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180:
> fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch:
> Authentication error
>
> What should I do ?
>
> thanx
>
>
>
> ---------- Forwarded message ----------
> From: FreeBSD Security Advisories <security-advisories at freebsd.org>
> Date: Tue, Sep 9, 2014 at 2:04 PM
> Subject: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl
> To: FreeBSD Security Advisories <security-advisories at freebsd.org>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-14:18.openssl Security
> Advisory
> The FreeBSD
> Project
>
> Topic: OpenSSL multiple vulnerabilities
>
> Category: contrib
> Module: openssl
> Announced: 2014-09-09
> Affects: All supported versions of FreeBSD.
> Corrected: 2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE)
> 2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8)
> 2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE)
> 2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1)
> 2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11)
> 2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18)
> 2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE)
> 2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15)
> CVE Name: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508,
> CVE-2014-3510,
> CVE-2014-3509, CVE-2014-3511, CVE-2014-3512,
> CVE-2014-5139
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
> is
> a collaborative effort to develop a robust, commercial-grade,
> full-featured
> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
> and Transport Layer Security (TLS v1) protocols as well as a
> full-strength
> general purpose cryptography library.
>
> II. Problem Description
>
> The receipt of a specifically crafted DTLS handshake message may cause
> OpenSSL
> to consume large amounts of memory. [CVE-2014-3506]
>
> The receipt of a specifically crafted DTLS packet could cause OpenSSL to
> leak
> memory. [CVE-2014-3507]
>
> A flaw in OBJ_obj2txt may cause pretty printing functions such as
> X509_name_oneline, X509_name_print_ex et al. to leak some information
> from
> the stack. [CVE-2014-3508]
>
> OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
> to
> a denial of service attack. [CVE-2014-3510]
>
> The following problems affect FreeBSD 10.0-RELEASE and later:
>
> If a multithreaded client connects to a malicious server using a resumed
> session and the server sends an ec point format extension it could write
> up to 255 bytes to freed memory. [CVE-2014-3509]
>
> A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
> TLS 1.0 instead of higher protocol versions when the ClientHello message
> is badly fragmented. [CVE-2014-3511]
>
> A malicious client or server can send invalid SRP parameters and overrun
> an internal buffer. [CVE-2014-3512]
>
> A malicious server can crash the client with a NULL pointer dereference
> by
> specifying a SRP ciphersuite even though it was not properly negotiated
> with the client. [CVE-2014-5139]
>
> III. Impact
>
> A remote attacker may be able to cause a denial of service (application
> crash, large memory consumption), obtain additional information,
> cause protocol downgrade. Additionally, a remote attacker may be able
> to run arbitrary code on a vulnerable system if the application has been
> set up for SRP.
>
> IV. Workaround
>
> No workaround is available.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 10.0]
> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
> # fetch
> http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc
> # gpg --verify openssl-10.0.patch.asc
>
> [FreeBSD 9.3]
> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch
> # fetch
> http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc
> # gpg --verify openssl-9.3.patch.asc
>
> [FreeBSD 9.2, 9.1, 8.4]
> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch
> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc
> # gpg --verify openssl-9.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart all deamons using the library, or reboot the system.
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI. Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path Revision
> -
> -------------------------------------------------------------------------
> stable/8/ r269687
> releng/8.4/ r271305
> stable/9/ r269687
> releng/9.1/ r271305
> releng/9.2/ r271305
> releng/9.3/ r271305
> stable/10/ r269686
> releng/10.0/ r271304
> -
> -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:https://www.openssl.org/news/secadv_20140806.txt>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512>
>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139>
>
> The latest revision of this advisory is available at
> <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:18.openssl.asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJUDtUBAAoJEO1n7NZdz2rnOUoP/jNoEEPVt1RoVPQoOQc6vno5
> 2HXcCDsu0ql3kCNIIZ7E6TddfduzV04EMzBrIgulg7eXft+Lnx6HlEgJOo7QLImc
> aWLWxjcbyby6wrbYOc+FLK11yx9/uZJF0VCdSeyzhy0EFD3tOZPsDMXKZmG7FRkg
> 6A7ENJU25Mx8V1myzHw/VfDwAHCtXHliFVVE0CUku55pYnlhMeetu/wuB6KYbmgV
> 1WUamiHEGl4Dh4Up7nGHYYm32kqZLaE+cf1Ovc2VGT98ZyXmCgDB4+8kkA/HZxxp
> DRgQlojeQhahee5MmzD+wMJXlq6dekoo+JVf22+Nb+oNmlKT6/UxtUhCwW11MLUV
> rnOMr3u1JCNvBc+3KroSmtFeEtqh7jx3Ag4w8lS5mJO+wX1/lilbsFxSS/9G65fy
> LqHUQSxkuDJ1bNzPfKreBPyUmQlG5t/3DonIDCF9r3sefDN+kxqe1+RwjdNRM0ov
> V7OH/AW1NBQtV/F/h0tKCcskvcJo9Q+inAohheLPnWkFj7F2tLNt5TAxsGy7WvFZ
> MuQSAXpZkdh7OkhAhBM3Xk+EOv7Qk7zZL5HJ1Lpm6kfJ8wSb4etoUV7oELaDMBz8
> +9r+Vr9GtjSsec2a4tjNIixZKV9bzEhgKP5gsWD/JewhAzF+0bYNa9snOWxzpAYb
> j+eW9IT7pEAJK9DtIsDd
> =f4To
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
>
>
More information about the freebsd-stable
mailing list